[Winpcap-users] How to save packets to a file?

Guy Harris guy at alum.mit.edu
Wed May 18 18:42:42 GMT 2005


He Zhiyu wrote:

> 1. I printed the content of the whole packet in Hex, and I should print 
> them in ASCII. I tried to use "%c" in a circle to print them, but the 
> result looks very strange. Anything was wrong with the format string "%c"?

Yes - it assumes that all bytes in the packet are printable characters. 
That is not necessarily the case.

Other programs that show the packet data in ASCII, such as tcpdump and 
Ethereal, show non-printable characters as "."  You might want to do 
something such as

	isprint(c) ? c : '.'

which is an expression that evaluates to "c" (the byte from the packet) 
if "c" is a printable character, and "." if it's not a printable 
character.  (Include <ctype.h> to get "isprint()" defined.)

> 2. I printed the header->len and the header->caplen, they are always the 
> same. What's the differences between them?

header->len is the length of the packet as received by the machine.

header->caplen is the number of bytes in the packet that you received 
from libpcap.  If, for example, you set the "snapshot length" to 128 in 
a "pcap_open_live()" or "pcap_open()" call, for any packet longer than 
128 bytes, you will get only the first 128 bytes of the packet, so 
header->len will be the actual length of the packet, but header->caplen 
will be 128.  If you set the snapshot length to a value >= the maximum 
packet size, header->caplen will always be equal to header->len.



